COMMUNICATION SYSTEM, COMMUNICATION TERMINAL COMPRISING 
VIRTUAL NETWORK SWITCH, AND PORTABLE ELECTRONIC DEVICE 
COMPRISING ORGANISM RECOGNITION UNIT 

FIELD OF THE INVENTION 

The present invention pertains to a communication system comprising a 
communication terminal equipped with a network communication function and a portable 
electronic device capable of communicating with the communication terminal. 
Specifically, it pertains to a communication system capable of accessing various types of 
networks utilizing the communication terminal according to a communication security 
level preset in the portable electronic device. 

BACKGROUND OF THE INVENTION 

Conventionally, it is generally the case that the software and its setting 
information, etc. needed when connecting a communication device to a public network 
such as the Internet, etc. for communication are all preloaded in the communication 
device, or are temporarily installed in the communication device, and the software is 
operated in the communication device. When ensuring security during communication, 
the software for ensuring security is preloaded or temporarily installed in the 
communication device. 

Ensuring security during communication also includes VPN technology, which 
ensures security by utilizing some shared circuits as virtual dedicated circuits by using 
specially encrypted data to communicate with the other party; firewall technology, which 
prevents information exchange with unwanted others during communication; illegal virus 
removal technology, which checks whether or not malicious virus software is hidden in 
exchanged data and removes it, etc. 

IP-VPN technology is widely used in VPN technology in order to prevent the risk 
of data being surreptitiously monitored or falsified by many unknown strangers when 
communicating on the Internet. When IP-VPN technology is used, a network engineer 
installs prespecified VPN client software in the communication terminal of the client 
terminal that is to communicate and makes the necessary settings, thereby enabling 
connection with a specified VPN gateway device. When the client terminal 
communicates with a remote location, it employs encrypted communication via 
the VPN gateway device, thereby making it possible to communicate safely with the 
remote location over the Internet. 

With firewall technology it is possible to do simple settings using 
software that is normally loaded in the OS of a communication terminal in advance. But 
when used in a company, etc., it is generally the case that firewall software is purchased 
and put in each communication terminal, or is set up at the entry to a network and used to 
protect the network itself. Both cases generally require settings be made in advance by an 
expert, so typically this is a protective method targeting a specific terminal or a specific 
network. 

In addition, illegal virus removal technology is generally such that, like the 
aforesaid firewall technology, the virus removal software is put in a communication 
terminal in advance and the removal operation is performed periodically, or the virus 
removal software is put in a specific server device on a network and viruses are 
eliminated at the server when communicating via that device. 

Conventional technology often assumes that when communication begins, all of 
the software needed has already been loaded into the network device. Nevertheless, there 
are a vast number of ways of connecting to a network, which is typically the 
Internet in today's society, and individuals can freely utilize networks at their own 
volition without going through a network device that is pre-controlled by a network 
administrator. Currently, network control and information control in a limited area by a 
network administrator is in practice meaningless. Thus, there is an urgent need to 
provide network management tools to the individual who is trying to access a network. 
Nowadays, Internet cafes and public wireless services provide network access. 
It is difficult to know to what extent the companies that operate and manage the circuits 
and terminals of such cafes and services have taken security protective measures. It 
appears desirable that when someone is using a communication terminal, that person 
should provide his own protective measures. 

Meanwhile, from the standpoint of the processing ability of the communication 
terminal itself, the following sort of difficulties arise. That is, the processing ability 
required of the software and hardware in a communication terminal is steadily increasing, 
year after year. The processing ability of the communication terminal is likewise 
steadily rising along with this. Even though the processing ability of the communication 
terminal is increasing, when a single communication terminal does all sorts of tasks, this 
limits the communication terminal's ability to execute applications that it is supposed to 
execute for a user. Sometimes there are tasks related to communication that must be 
executed. 

The amount of transmitted information has increased as networks 
have become faster, and there is a tendency for problems created by this increase to occur 
more frequently. From the user's standpoint, the problem created by the delays in 
executing some tasks becomes the reason for purchasing a new communication terminal. 
As a result, efficiency is bad. Also, in the case of a user who communicates using many 
communication terminals, the state of the communication environment becomes 
dependent on the abilities of individual terminals. As a result, network quality is 
unavoidably unstable. 
When communicating using individual security technologies, such as VPN 
technology, for example, one must assume that VPN client software has been installed in 
the client terminal and that the necessary communication settings have already been 
made. These communication settings are usually very detailed network configurations, 
and are difficult to set unless one knows all of the setting information needed by the 
destination VPN gateway. 

As a result, terminals using VPN communication are limited to information 
terminals that a company has preset and assigned to an employee. Unless an employee 
carries around the assigned information terminal, it is impossible in practice to 
communicate with company resources using a VPN connection. The only solutions for 
this are for the employee to make a low-speed dial-up connection using a public circuit, 
or to do a limited mail access using a service provided by a third-party Internet service 
provider, wireless telephone carrier, etc. that is not affected by the company 
administrator's security management. However, such methods are basically risky for the 
network administrator and not desirable. 

Also, the various types of communication setting information set in VPN client 
software can easily be accessed by a third party other than the communication terminal 
owner if it passes through a simple security check. Therefore a malicious third party 
could intercept the setting information with relative ease from the terminal of a careless 
client terminal owner, set another terminal, connect with the VPN gateway, and 
thereby be able to access the company's confidential data. 

Furthermore, when utilizing firewalls or virus removal software, 
employing conventional technology there are limits to the networks and communication 
terminals on which they can be used. The current situation is that there is no means for 
safely using the ubiquitous Internet without restricting the communication terminal itself 
that is actually communicating. 
SUMMARY OF THE INVENTION 

The present invention, in light of the aforesaid points, is directed to providing a 
communication system capable of communicating at the desired security level using a 
communication terminal without the assumption that all of the necessary software has 
been preloaded in the communication terminal equipped with a communication function, 
and to provide a communication terminal and portable electronic device for use in this 
communication system. 

An exemplary embodiment of the communication system is characterized by: a 
communication terminal including a network connector, and a portable electronic device 
capable of communicating with the communication terminal. The communication 
terminal comprises a virtual network switch that can forcibly alter the destination of data 
transmitted to and from a network connected via the network connector. The portable 
electronic device includes a security ensurer for ensuring communication security to and 
from the aforesaid network using the communication terminal. The communication 
terminal transmits data to and from the network via the virtual network switch and the 
security ensurer of the portable electronic device. 

The security ensurer can include a VPN module, a virus removal module, and/or a 
firewall, for example. 

The virtual network switch can be a virtual IP switch incorporated into the 
network layer in the OSI 7-layer model in TCP/IP, the standard Internet protocol, for 
example. Such a virtual IP switch can transfer packets received from the network to a 
higher transport layer or to the portable electronic device according to preset parameters, 
and returns packets from the portable electronic device to a higher transport layer or to 
the network that was the transmission source according to preset parameters. 

Preferably, the inventive communication system, in addition to the aforesaid 
constitution, is characterized by the checking of the security of the communication 
terminal's storage medium and applications being performed by the portable electronic 
device's security ensurer via the virtual network switch. 

Also, the portable electronic device preferably comprises an organism 
recognition device such as a fingerprint sensor, etc., an organism information storage unit 
in which organism information is prestored and held, and an authenticator for permitting 
access to the aforesaid network via the communication terminal by comparing organism 
information read by the organism recognition device against organism information stored 
in the organism information storage unit. 

Another exemplary embodiment of the communication system is characterized 
by: a communication terminal including a network connector, and a portable electronic 
device capable of communicating with the communication terminal; the communication 
terminal comprises a security ensurer for ensuring communication with a network; and 
the portable electronic device preferably comprises a communication setting information 
storage unit that stores and holds communication setting information needed for 
communication with the aforesaid network via the security ensurer, an organism 
recognition device such as a fingerprint sensor, etc., an organism information storage unit 
in which organism information is prestored and held, and an authenticator for comparing 
organism information read by the organism recognition device against organism 
information stored in the organism information storage unit. 
The inventive communication system, constituted in this manner, is not limited by 
the type of software loaded in a communication terminal having a network 
communication function; the communication terminal is supplied with the functions of 
the software loaded in the portable electronic device. Various types of functions such as 
security functions, etc. can be supplemented. Therefore, even if a communication 
terminal directly connected to a network is not equipped with functions such as a VPN, 
firewall, virus check, etc., high safety communication is possible by using the security 
ensurers loaded in the portable electronic device. 

Also, the portable electronic device itself does not have an intrinsic physical 
network connector, but when it is connected to a separate communication terminal 
directly connected to a network the portable electronic device is virtually present 
between the network and the communication terminal due to the communication 
terminal's virtual network switch. Therefore the communication terminal and the 
network can communicate utilizing the security ensurer loaded in the portable electronic 
device. 

In addition, when the portable electronic device includes an organism recognition 
device, authenticating the person using the organism recognition device makes it possible 
to establish a connection to a specified network on the Internet through a communication 
terminal connected to the network by an intrinsic physical connection (such as a PC, 
wireless phone, etc.) to which the device is connected. 

BRIEF DESCRIPTION OF THE DRAWINGS 
The foregoing aspects and many of the attendant advantages of this invention will 
become more readily appreciated as the same become better understood by reference to 
the following detailed description, when taken in conjunction with the accompanying 
drawings, wherein: 

FIGURE 1 is a block diagram showing the structure of one example of a 
communication system employing the present invention; 
FIGURE 2 is a block diagram showing the structure of another example of a 
communication system employing the present invention; 

FIGURE 3 is a block diagram showing the structure of yet another example of a 
communication system employing the present invention; 

FIGURE 4 is a diagram explaining an example of the virtual network switch 
provided in the communication terminal in the communication systems of FIGURE 1 
through FIGURE 3; 

FIGURE 5 is a diagram explaining an example of the virtual network switch 
provided in the communication terminal in the communication systems of FIGURE 1 
through FIGURE 3; 

FIGURE 6 is a block diagram showing the structure of one example of a 
communication system according to another arrangement of the present invention; 

FIGURE 7 is a block diagram showing the structure of a variation of the 
FIGURE 6 communication system; and 

FIGURE 8 is a block diagram showing the structure of another variation of the 
FIGURE 6 communication system. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 
Embodiments of communication systems employing the present invention are 
explained below with reference to the drawings. 

FIGURE 1 is a block diagram showing the structure of one example of a 
communication system employing the present invention. This example's communication 
system 1 includes a communication terminal 2 equipped with a network connector 21 
such as a PC, portable telephone, etc., and a portable electronic device 3 (hereinafter 
"token") capable of communicating with the communication terminal 2. The 
communication terminal 2 can connect to a designated network 5 such as a VPN server, 
via a communication network 4 such as the Internet. 
The communication terminal 2 includes a virtual network switch 22 that can 
forcibly alter the destination of data transmitted to and from the network 5 to which it is 
connected via the network connector 21. Using the virtual network switch 22, data sent 
from the network 5 to the communication terminal 2 is transferred to the portable 
electronic device 3, passes through the portable electronic device 3, is returned again to 
the virtual network switch 22 of the communication terminal 2, and then is processed by 
an application 23 of the communication terminal 2, etc. Data sent from the 
communication terminal 2 to the network 5 also goes from the virtual network switch 22 
to the portable electronic device 3 and passes through the virtual network switch 22 again 
and is sent toward the destination network. Thus, while the portable electronic device 3 
is physically connected to the communication terminal 2, it functions as if it were 
interposed between the network 5 and the communication terminal 2 due to the virtual 
network switch 22. 

The portable electronic device 3 has a security ensurer for ensuring 
communication security with the network 5 using the communication terminal 2. In this 
example, the security ensurer includes a VPN client function 31 and a storage unit 32 for 
storing VPN setting information. 

In this example, communication system 1, after the portable electronic device 3 
is connected to the communication terminal 2 and they can communicate with one 
another, when communication with the network 5 (i.e., the VPN server) starts using the 
network connector 21 of the communication terminal 2, the virtual network switch 22 
functions. As a result, communication utilizing the VPN client 31 of the portable 
electronic device 3 is formed between the network 5 and the communication terminal 2. 

It is preferred that the portable electronic device 3 have an organism 
recognition device 33 such as a fingerprint sensor, etc., an organism information storage 
unit 34 in which organism information is prestored and held, and an authenticator 35 for 
authenticating by comparing organism information read by the organism recognition 
device 33 against organism information stored in the organism information storage 
unit 34. 

FIGURE 2 is a block diagram showing the structure of another example of a 
communication system 1A employing the present invention. The communication 
system 1A shown in this drawing is constituted so that management of the media (hard 
disk, removable disk, external memory, etc.) of a communication terminal 2A and 
program execution management are handled from a portable electronic device 3A 
utilizing the function of the virtual network switch 22. 

The virtual network switch 22 of the communication terminal 2A has a function 
for accessing the storage media (hard disk, removable disk etc.) of the communication 
terminal 2A. The portable electronic device 3A is provided with a virus check function 
module 31A and a virus pattern information storage unit 32A as the security ensurer. 

After the portable electronic device 3A connects to the communication 
terminal 2A and the person is authenticated, the virus check function module 31A issues 
a command packet to the virtual network switch 22 of the communication terminal 2A 
for accessing the storage medium 24 and the application 23. Thus a security check of the 
various media of the communication terminal can be conducted from the portable 
electronic device 3A. 

FIGURE 3 is a block diagram showing the structure of yet another example of a 
communication system 1B employing the present invention. The communication 
system 1B shown in this drawing is constituted so that a firewall function 31B and a 
storage unit 32B for storing firewall setting information are provided in a portable 
electronic device 3B as the security ensurer. In this communication system 1B the 
portable electronic device 3B is virtually present between the communication network 4 
and the communication terminal 2B due to the function of the virtual network switch 22, 
and detects and reports illegal entry from the outside, so safe communication is possible. 

The virtual network switch 22 provided in the communication terminal 2, 2A, or 
2B can be a virtual IP switch incorporated into the network layer in the OSI 7-layer 
model in TCP/IP, the standard Internet protocol. 

FIGURE 4 is a diagram explaining the OSI 7-layer model. A virtual IP switch 68 
is installed in a network layer 63 in a 7-layer model 6. The virtual IP switch 68 switches 
the packet destination to a higher transport layer 64 or to the portable electronic device 3, 
3A, or 3B of another network device. No change to the various other layers 61, 62, 
and 64-67 is necessary. 

The virtual IP switch 68 has a different mechanism than the usual layer-3 
switch; when a packet is transferred to the portable electronic device 3, 3A, or 3B, it is 
necessary to maintain the original packet's information without loss, so the original 
packet needs to be encapsulated as a packet for transfer. The encapsulated packet is 
restored to the original packet at the destination device 3, 3A, or 3B, is processed by an 
application at the device, and the packet is passed to the virtual IP switch 68 again. 
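As an added illustration (not code from the patent or its vsw.sys), the following Python simulation models the packet diversion described for FIGURE 1 and the encapsulation described for FIGURE 4: the switch wraps each packet in a capsule, hands it to the token's security ensurer (here a firewall rule set, an assumed model of function 31B), checks that the restored packet is unchanged, and passes it to the transport layer or the network. The packet fields, class names, and sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    """Minimal IP-level packet model (constructed for this simulation)."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Capsule:
    """Encapsulation that carries a packet to and from the token without loss."""
    direction: str   # "inbound" (network -> terminal) or "outbound"
    inner: Packet


class TokenFirewall:
    """Security ensurer held on the portable device (assumed model of 31B).

    The rule set lives on the token, so the terminal itself stores no policy.
    """

    def __init__(self, blocked_inbound_ports: Set[int]) -> None:
        self.blocked_inbound_ports = blocked_inbound_ports
        self.reports: List[str] = []   # "detects and reports illegal entry"

    def process(self, capsule: Capsule) -> Optional[Capsule]:
        pkt = capsule.inner
        if capsule.direction == "inbound" and pkt.dst_port in self.blocked_inbound_ports:
            self.reports.append(f"blocked {pkt.src} -> port {pkt.dst_port}")
            return None                 # packet is dropped at the token
        return capsule                  # returned unchanged to the switch


class VirtualIPSwitch:
    """Network-layer switch in the terminal that diverts packets via the token."""

    def __init__(self, token: Optional[TokenFirewall]) -> None:
        self.token = token
        self.to_transport: List[Packet] = []   # handed up to the transport layer
        self.to_network: List[Packet] = []     # handed down to the connector

    def _via_token(self, pkt: Packet, direction: str) -> Optional[Packet]:
        if self.token is None:
            return pkt          # no token attached: ordinary stack behaviour
        result = self.token.process(Capsule(direction, pkt))
        if result is None:
            return None
        if result.inner != pkt:
            raise ValueError("capsule must restore the original packet exactly")
        return result.inner

    def receive_from_network(self, pkt: Packet) -> str:
        out = self._via_token(pkt, "inbound")
        if out is None:
            return "dropped"
        self.to_transport.append(out)
        return "transport"

    def send_to_network(self, pkt: Packet) -> str:
        out = self._via_token(pkt, "outbound")
        if out is None:
            return "dropped"
        self.to_network.append(out)
        return "network"


def run_demo() -> dict:
    """Push constructed sample traffic through a switch with a token attached."""
    token = TokenFirewall(blocked_inbound_ports={23, 445})
    switch = VirtualIPSwitch(token)
    inbound = [                                   # constructed sample packets
        Packet("203.0.113.7", "192.0.2.10", 443, b"GET / HTTP/1.1"),
        Packet("203.0.113.9", "192.0.2.10", 445, b"\xffSMB"),
        Packet("203.0.113.9", "192.0.2.10", 23, b"\xff\xfd\x18"),
    ]
    outbound = [Packet("192.0.2.10", "198.51.100.5", 443, b"hello")]
    results = [switch.receive_from_network(p) for p in inbound]
    results += [switch.send_to_network(p) for p in outbound]
    return {"results": results, "delivered": len(switch.to_transport),
            "sent": len(switch.to_network), "reports": list(token.reports)}
```

With no token attached the switch passes packets straight through, which is the unprotected case the patent contrasts against.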

FIGURE 5 is a drawing explaining the case when the 7-layer model is applied to 
a Windows® network model. In this drawing, "vsw.sys" in the intermediate layer is the 
virtual network switch. The software decides whether to transfer a packet to one of the 
higher protocols in the portable electronic device 3, 3A, or 3B and the communication 
terminal 2, 2A, or 2B. The intermediate layer is a layer commonly used in the Windows 
network architecture; packet filtering software that utilizes this layer is commercially 
available. 

Next, FIGURE 6 is a block diagram showing the structure of a communication 
system 1C according to the present invention. The communication system 1C has a 
communication terminal 2C and a portable electronic device (token) 3C. The 
communication terminal 2C has a network connector 21A and a VPN client function 26. 
The portable electronic device 3C has a storage unit 32C for storing the VPN setting 
information needed for communication using the VPN client function 26. The portable 
electronic device 3C also includes the organism recognition device 33 such as a 
fingerprint sensor, etc., the organism information storage unit 34 in which organism 
information is prestored and held, and the authenticator 35 for authenticating by 
comparing organism information read by the organism recognition device 33 against 
organism information stored in the organism information storage unit 34. 

The communication system 1C with this constitution puts the program that 
processes security on the communication terminal 2C side, and keeps the information 
necessary for operating it on the token (portable electronic device) 3C side; they work 
together and execute processing according to the result of recognition by the organism 
recognition device 33. 

FIGURE 7 is a block diagram showing the structure of a communication 
system 1D with a virus check function employing the present invention. In this 
communication system 1D a virus check function (software) 27 is put on the 
communication terminal 2D side, and the virus setting information needed for executing 
it is held in the storage unit 32D of a portable electronic device 3D. When authenticated 
by the organism recognition device 33, the two work together and perform a virus check, 
and safe communication is possible. 

FIGURE 8 is a block diagram showing the structure of a communication 
system 1E with a firewall function employing the present invention. In this 
communication system 1E a personal firewall function 28 is put on the communication 
terminal 2E side, and the portable electronic device 3E has a storage unit 32E for storing 
firewall setting information therefor. In this case too, when a person is authenticated by 
the organism recognition device 33, the two work together and safe communication is 
possible. 
Industrial Applicability 

As explained above, the communication system, including the communication 
terminal and portable electronic device used in it, provide the following sort of effects. 

(1) Carrying around a portable electronic device with an organism recognition 
device allows a user to use any communication terminal having a network 
communication function anywhere 
to communicate safely with a required resource on the Internet while performing a VPN 
connection or security check. Therefore it is possible to communicate using the best 
useable communication means while maintaining one's own security policy at the 
necessary location without being limited to the security set by the circuit provider. 

(2) It is not necessary to keep information that threatens security in the 
communication terminal. VPN connection and personal firewall settings, virus check 
settings, and other communication setting information that pertains to security is 
encrypted and kept in the portable electronic device, so the risk of setting information 
leaking to an outside third party is greatly reduced. 

(3) The load on communication terminals occasioned by security checks is 
reduced, and one can expect improvement in the performance of other processing. 

(4) In connection with (2) above, in ordinary use it is essentially unnecessary 
for the user himself to become involved in operating VPN client software, etc. Also, it 
becomes possible to make accessing the setting information a restricted task using 
encryption means that only a network administrator can use, thereby greatly reducing the 
risk of someone carelessly altering a client software's setting information. As a result, 
one can expect a reduction in a network administrator's work and a company's 
administrative costs. 

(5) An individual can carry the inventive portable electronic device as an ID, 
and can save VPN software that works with that ID, a personal firewall, virus check 
software, and connection-related communication setting information. By doing so, the 
company that loaned the device does not have to do tasks such as installing VPN client 
software in a newly used communication device or making settings for VPN connection 
when an employee/user is moved to a different post or when replacing communication 
devices such as the PC that is being used. All that is needed is to ensure a 
communication interface with the relevant token. As a result, the network 
administrator's work is greatly reduced. 

(6) In connection with the aforesaid ID, by linking the inventive scheme with 
software such as security software, etc. it becomes possible to authenticate a person using 
an organism recognition device, check license information by issuing the ID to a network 
server after authentication, provide an update function for software installed in the token 
after the license check, etc. This can be reliably done vis-a-vis the person carrying the 
device, not vis-a-vis the terminal. 

(7) If the specifications of a communication terminal are such that it cannot 
provide the application or communication software functions that are being used, instead 
of buying a new communication terminal it is possible to switch only the required 
communication processing ability to another distributed processing device and to carry 
around this sort of distributed processing device; therefore one can always have a stable 
communication environment without carrying around the terminal itself. 

While the preferred embodiment of the invention has been illustrated and 
described, it will be appreciated that various changes can be made therein without 
departing from the spirit and scope of the invention. 